Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201601-05 ] OpenSSL: Multiple vulnerabilities
Date: Fri, 29 Jan 2016 23:44:30
Message-Id: 56ABF8E3.8000004@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201601-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: OpenSSL: Multiple vulnerabilities
9 Date: January 29, 2016
10 Bugs: #572854
11 ID: 201601-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in OpenSSL, allowing remote
19 attackers to disclose sensitive information and complete weak
20 handshakes.
21
22 Background
23 ==========
24
25 OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
26 (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
27 purpose cryptography library.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 dev-libs/openssl < 1.0.2f >= 1.0.2f
36
37 Description
38 ===========
39
40 Multiple vulnerabilities have been discovered in OpenSSL. Please review
41 the upstream advisory and CVE identifiers referenced below for details.
42
43 Impact
44 ======
45
46 A remote attacker could disclose a server's private DH exponent, or
47 complete SSLv2 handshakes using ciphers that have been disabled on the
48 server.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All OpenSSL users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2f"
62
63 References
64 ==========
65
66 [ 1 ] CVE-2015-3197
67 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3197
68 [ 2 ] CVE-2016-0701
69 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0701
70 [ 3 ] OpenSSL Security Advisory [28th Jan 2016]
71 http://openssl.org/news/secadv/20160128.txt
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 https://security.gentoo.org/glsa/201601-05
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users' machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 https://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2016 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature